Security Experts:

Tech Firms Begin Rolling Out Patches For 'Shellshock' Bug

Security Information on CVE-2014-6271

Several organizations that use the GNU Bourne Again Shell (Bash) in their products have been hard at work producing software updates to address the recently discovered vulnerability dubbed "Shellshock" or "Bash Bug."

GNU Bash is a command-line shell used in Linux, Unix and Mac OS X operating systems which is installed not only on personal computers and servers, but also installed on other connected "Internet of Things" (IoT) devices. The vulnerability (CVE-2014-6271) affects version 1.14 and later of the shell and can be exploited to execute arbitrary commands and take over affected machines.

Red Hat published a security update shortly after the existence of Shellshock came to light. However, it soon became clear that the fix had been incomplete since, according to Red Hat, "Bash still allowed certain characters to be injected into other environments via specially crafted environment variables." This second issue has been assigned CVE-2014-7169.

On Friday, both Red Hat and Fedora released patched versions of Bash to address this vulnerability. 

Over the weekend, Cisco confirmed that some of its products are affected by the vulnerability. The list includes network application, service, and acceleration products; network and content security devices; enterprise and service provider routing and switching solutions; unified computing; voice and unified communications devices; and video, streaming, telepresence and transcoding devices.

Several solutions shipped with or ones that leverage affected versions of Bash are still being investigated, Cisco said in its advisory. The company has released software updates to address the vulnerability.

Oracle has also started patching its products against CVE-2014-7169. The company has identified more than 40 solutions that are vulnerable, but so far it has produced software updates for only six of them: Oracle Database Appliance, Oracle Exadata Storage Server Software, Oracle Exalogic, Oracle Exalytics, Oracle Linux, and the Solaris operating system.

While many members of the security industry have warned that the Shellshock vulnerability might affect a lot of IoT devices, Red Hat has clarified in an FAQ that many embedded devices actually utilize more lightweight solutions, such as BusyBox, which includes a shell that is not vulnerable.

Mac OS X systems are affected by the flaw, but Apple has clarified that users should not be concerned, unless they have configured advanced UNIX services. The company says it is working on a patch for advanced UNIX users. Mac security firm Intego has published a blog post detailing two possible attack scenarios.

In the meantime, cybercriminals have already started exploiting the vulnerability in the wild. Trend Micro has observed several pieces of malware that leverage the flaw, including an IRC bot.

Related Reading: What We Know About Shellshock So Far, and Why the Bash Bug Matters

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.